Three data loss prevention tools reviewed

Data loss prevention (DLP) is an emerging field with a lot of different products and players. The idea is to stop information from leaving your internal networks in close to real time, so you can identify the leaker or thief before too much damage (and ensuring lawsuits) happen.

A recent study by DLP vendor Proofpoint found that more than third of the respondents had an incident in the last year, and a quarter of them had investigated leaked information as a result of a blog post.

There are more than a dozen different DLP vendors. We show you three typical products, how they work, and what kinds of information they track.

Global Velocity's GV-2010 security appliance,

BlueCoat Networks DLP appliance, and

Sendmail's Sentrion email server.

Each is designed for somewhat different situations, which is why we have collected them together. Before you dive into these products, you might want to address the following questions:

Who will own the DLP process in your organization: Will it be the general IT staff, the infrastructure management group, the desktop security group, or some other combination? Depending on this ownership might compel a particular collection of DLP products.

Where does DLP presently touch your existing IT security infrastructure? Most firewalls and email servers have some DLP capabilities; the tricky part is being consistent across your enterprise and getting a specialized DLP product that can complement and in some cases work with these legacy devices.

Are you looking at total DLP protection, for endpoints, data in motion and file server data? No single product can handle all of these situations; so how each vendor partners and integrates with others for complete coverage is critical.

Do you want something to decrypt emails and https traffic? Not all products can see inside these protocols without some additional work.

All three products have the ability to scan for particular character strings (like a Social Security or credit card pattern) and also upload sensitive documents into their protective scanning engines to ensure that this specific unstructured information is also protected. Another typical situation is where a rogue employee will send a customer database list to their personal Gmail or Yahoo mail account, and then downloads or forwards this information once they get home. Each product has a variety of reports to show you incidents flagged by the protective policies and what information was leaked.

All three also have mechanisms to test new policies to ensure that they are actually protecting you under the specific circumstances that you intended. This is very useful; otherwise you could end up with a lot of false positive incident reports to plow through. Once you have tested a particular policy, all of them make it fairly easy to activate the policy and have it start working across your data streams.

Sendmail's Sentrion is a high-powered email server that takes the code base of Sendmail – found in any Linux server – and bulks it up with a series of powerful mail processing policies. Some of these can be used to scan outgoing messages for particular character strings, or data types, to ensure that confidential data doesn't get emailed outside of your domain.

Sentrion has very powerful mail processing policies, as you can see here we can specify a variety of conditions to be met to trigger a particular DLP incident.

Sendmail has partnered with a variety of vendors, including Voltage Security, to handle decrypting emails to ensure that no one is hiding sensitive information inside these messages. They also have an extensive collection of add-on applications in their own AppStore, patterned after Apple. For example, one called the DLP bundle also includes RPost, software that can send registered return email receipts. But Sentrion is email-centric: if you want endpoint protection (such as to flag when an employee steals data on a USB stick), or protection for emails sent over Webmail providers such as Gmail and Hotmail, you will need something else.

Global Velocity is a relatively new player in the security space that is used to monitor all of your network traffic, such as who is using Facebook during a particular time of day. This can be useful if you are trying to track a suspect staffer. You can have policies to examine particular file server directories that house sensitive content, such as the shared files used by your human resources or executive compensation departments, and then report when someone accesses this content or attaches a document to an email message.

You can track particular actions by IP address in the Global Velocity product. Here you see the files that one particular user has sent, along with the destination and which particular protection policy was triggered.

The downside to Global Velocity is that it comes with just a few pre-set data types, although they are adding new ones continually. The ability to actually block data is still a beta feature but should be in the product by October. They also don't have any mechanism for handling encrypted data, but are working on that too.

Finally, there is BlueCoat's DLP solution. It comes with lots of pre-set data types, such as social security or credit card accounts, along with dozens of different policy templates. Your policy can be set up to allow, report, or block the particular action, and the product even has customizable block messages too. The BlueCoat DLP product is based on the CodeGreen engine and can work with BlueCoat's Proxy SG server to decrypt and classify messages. It contains policies to handle both inbound and outbound traffic on a variety of protocols and to examine Webmail and FTP traffic as well as standard email and Web.

BlueCoat has a wide collection of protocols that can be protected with its appliance.

Both BlueCoat's and Sendmail's devices can be setup to automatically encrypt messages that have sensitive information before they leave your domain. That is a nice touch and something that might get more people into using encrypted emails for these conversations.

As you can see, there is a lot under the covers that make these DLP products work. Understanding how they fit in with what security devices you already have, such as an email server or a firewall, will be the first step in evaluating which one will make the most sense for your particular needs.

David Strom has been contributing to Computerworld off and on since 1996, and has been the editor-in-chief at Network Computing and Tom's Hardware.com. He can be reached via his website strominator.com.